4 recommendations for securing your cloud applications

Security problems are not inherent to the cloud, but they are inherent to being human.

“People are people. We make mistakes. That’s why I’m a firm believer in automation. ... I have never seen a manual process that did not generate more mistakes than an automated one.”

—Tom Petrocelli, research director at Neuralytix

Cloud application security can be a daunting prospect. It’s not always clear where your data lives or how secure it is when it moves between applications.

As research director for enterprise social, mobile, and cloud applications at Neuralytix, Tom Petrocelli regularly addresses agility and security in the cloud. “A lot of companies just are not willing to roll out into a public cloud like Amazon or Rackspace,” says Petrocelli. “They are not sure how to control who sees what once their applications hit the cloud.”

So how do organizations allay their concerns? Petrocelli has the following recommendations:

The cloud is not the problem.
Many companies think that the accelerated rollout of new features via the cloud excuses them from making security the priority. “The cloud is not causing the problems. It is actually enabling you to deal with them better by providing you with an agile development environment,” he says. “Consider how you can better use that agile environment in the cloud to roll out and enforce your security policies.” For example, imagine you are a financial services institution. You can tackle a finer partitioning of data views one region at a time, instead of across the whole company at once.

Get the right tools to protect moving data.
“While many companies keep their most vital data on-premise, there will be times when it lives in a hybrid world. This is the very nature of agile cloud development and deployment,” Petrocelli notes.

Enforce a chain of ownership.
Do not make data security the responsibility of a single data owner. Consider this: data is owned by anyone who has the ability to change it. “The employee in accounts payable who can modify records—her name is on the data once she touches it. Isn’t it partly hers now?” Petrocelli asks.

When you are talking about something critical to your organization, such as intellectual property, there is little room for accident. Petrocelli advises establishing and enforcing a chain of ownership, particularly in a hybrid cloud environment. He says owners should be aware of who touches the data, what they do with it, and how they analyze it.

Offset human error using automation.
“People are people,” Petrocelli says. “We make mistakes. That is why I am a firm believer in automation—for everything from data masking to enforcing chain of ownership to auditing security policies. I have never seen a manual process that did not generate more mistakes than an automated one.”

In other words, remove the potential for human error from your application environment as much as possible. “If you are working with an agile infrastructure in the cloud, automation can be your best friend,” he says.

To achieve greater flexibility, businesses need to be able to shift applications to the cloud without worrying about security risks. Acquiring the right resources, showing ownership, and automating the process can help.